Firefox update policy: the enterprise is wrong, not Mozilla

Now that Mozilla has released Firefox 5, version 4, just three months old, is …

Three months ago, Mozilla released the long-awaited Firefox 4. Last week, the organization shipped the follow-up release: Firefox 5. Firefox 5 was the first version of the browser to be released using Mozilla's new Firefox product lifecycle, which would see a new version of the browser shipping every three months or so. The new policy has been publicized for some months, and so the release of Firefox 5 was not itself a big surprise. What has caught many off-guard is the support, or lack thereof. With the release of Firefox 5, Firefox 4—though just three months old—has been end-of-lifed. It won't receive any more updates, patches, or security fixes. Ever. And corporate customers are complaining.

The major problem is testing. Many corporations have in-house Web applications—both custom and third-party—that they access through their Web browsers, and before any new browser upgrade can be deployed to users, it must be tested to verify that it works correctly and doesn't cause any trouble with business-critical applications. With Mozilla's new policy, this kind of testing and validation is essentially impossible: version 5 may contain critical security fixes not found in version 4, and with version 4 end-of-lifed, the only way to deploy those fixes is to upgrade to version 5. That may not be an issue this time around, but it's all but inevitable that the problem will crop up eventually.

Testing overhead

That makes things awkward for the companies who need to validate browser releases. Rolling out security updates with minimal testing is, in theory, generally pretty safe, because security updates are narrow in scope, and because the risk of the alternative—running a known-exploitable browser—is worse than the risk of something breaking. With those security updates now inextricably linked to other, nonsecurity updates, some enterprise users are expressing the fear that their task is now impossible. The other updates included with the security fixes mean that each release is so large that it must be tested thoroughly, but the rapid release schedule means there's no time to do so.

This has some corporate users of the browser feeling very unhappy. Though the release itself came as little surprise, the consequences it would have for version 4 were not generally understood until it was too late. They didn't realize that they would no longer have access to security fixes for Firefox 4, and now have to test all over again for Firefox 5. And to make matters worse, future updates will probably come out even more frequently; a six-week cycle is the goal.

These enterprise customers are plainly unhappy, and some commentators are suggesting that Mozilla is alienating its enterprise customers and in effect signing its own death warrant.

Flawed assumptions

But is this really the right response to take? We're not so sure that it is.

Let's be clear: the enterprise has never been Mozilla's number one priority. If it were, this pair of bugs wouldn't still be open more than half a decade after they were first filed. For enterprises, deployment and patch management using MSIs and configuration control using GPOs are bread-and-butter stuff. They're a hallmark of enterprise readiness. Internet Explorer—surely the king of enterprise browsers—has this kind of support in spades. Chrome, too, has some amount of enterprise support.

I'm sure both of those bugs will be fixed eventually. The work will get done. But enterprise users should take note: they're not the priority, and never have been. This should not be regarded as surprising.

But what of those organizations that use Firefox anyway? How are they going to cope now that they will have to do all this extra testing?

The answer to that is: the same way they always have. The reality is that Firefox minor updates have never been restricted to pure security fixes. If organizations thought that they could get away with performing only minor testing of the 18 minor updates that Firefox 3.6 has received in just 15 months, they were mistaken. Firefox minor releases have long contained stability and compatibility updates. Sometimes there are even feature changes: 3.6.4 introduced a new system whereby plugins were run in a separate process, and 3.6.9 introduced support for new countermeasures against a certain type of security flaw.

These kinds of changes could absolutely cause compatibility issues with business sites and applications. For businesses that needed to perform extensive validation of the browser before deploying it, both of these updates would have required new validation. And in both cases there was no way of avoiding the new features; there were few "pure security" updates made to 3.6. The implication that the new policy somehow changes something about the nature of Firefox updates—and hence the testing burden—just isn't true.

Combining security fixes with broader compatibility and stability fixes or new features is not unique to Firefox, either; Google does the same for Chrome, and even the latest security update to Internet Explorer 9 includes a minor nonsecurity update that resolves a bug with downloading files. The isolated pure security fix just isn't a feature of the Web browser landscape.

Meaningless numbers

Some have said that the testing problem is a result of Mozilla's decision to bump the major version number—with the implication that their company's testing procedures are driven not by an assessment of what's actually changed but by a mere version number, as if the major version increasing meant that there must be major changes.

Mozilla could have chosen a better mechanism to distinguish between versions than a major version number bump—for example, if they had used a date-based numbering scheme then it's likely that this (flawed) inference would no longer be made. But it didn't, and the result is that an increase of the major version number doesn't necessarily imply major changes under the hood.

Mozilla certainly isn't the first to do this. The next version of the Linux kernel will be version 3.0, from the current 2.6.39.2, but this major version update doesn't denote major changes. It might just as well have been version 2.6.40, or 2.8, or something else entirely; it was simply the preference of Linus Torvalds that the major version should, after many years, be increased.

Nor is Mozilla the first major open source project to use a time-based release model instead of a feature-driven one. The Ubuntu Linux distribution has made twice-annual releases, with major version numbers that increment accordingly, since its inception. The user community understands this and responds accordingly.

The corporate response to this change in numbering policy should be trivial: base testing on what has changed rather than what the number is. Any other policy has never been consistent with the way the browser is actually updated. At worst, the new update policy is simply highlighting flaws in existing corporate practices.

346 Reader Comments

Enterprise admins are way too anal about testing. Do like facebook, give 5% of the users access then wait for the fallout. That way the impact on productivity is limited and IT isn't tied up doing monotonous testing.

Firefox is getting its lunch eaten by Chrome and the version numbering mess is a pathetic attempt to play me-too. Enterprise IT is ultimately beholden to people who don't understand and don't care why Mozilla is bumping the major version number, just that they are.

The only thing remotely compelling about Firefox anymore (and this is coming from someone who didn't switch to Chrome until v7 or so) is their extension model - but Chrome is better at basically everything else. It's slow and their UI is only marginally better than IE9.

This is why you never see IE 9.1, 9.5, etc. Microsoft might move to 12-18 month release cycles for IE, and some corporations may skip every other version as a result of onerous full-compatibility testing requirements or desires, but you'll never see a build every 6 months out of Microsoft intended for the end user.

The only thing remotely compelling about Firefox anymore (and this is coming from someone who didn't switch to Chrome until v7 or so) is their extension model - but Chrome is better at basically everything else. It's slow and their UI is only marginally better than IE9.

Meet the new Netscape, quickly becoming same as the old Netscape.

FF is only slightly slower and uses a lot less memory (with the same amount of tabs) for me than Chrome (unless you open just a little amount of tabs). I seriously prefer FF's UI over Chrome's UI; with FF I can find everything.

They did this to change having FF x.x installed to having FF installed, with the assumption of it being the newest version, like Chrome.

This article misses one major point for me: What about large corps developing customer-facing UIs? Online checking, e-commerce, etc. It's not just internal apps that are a problem. Most testing I know of is done with a 'top five' methodology, with the top five browsers/versions getting all primary testing, and others getting nothing but a sanity check. With FF splintering like this (as opposed to Chrome, which auto-updates virtually everyone very quickly) it drops marketshare below the top five. I wouldn't be surprised if FF4 is lower than Opera very quickly.

I would much prefer some numbering scheme that related to major technology deployments and/or API changes that broke important plug-ins (for me, xdebug and Zotero). CSS animations are okay, but not that major imho.

(Honestly, if these examples are what it gets used for, that would be another reason to switch browsers! It's worse than old-school scrolling text banners.)

Enterprise admins are way too anal about testing. Do like facebook, give 5% of the users access then wait for the fallout. That way the impact on productivity is limited and IT isn't tied up doing monotonous testing.

I work IT for a school district and in the Army Reserves and for these two organizations, this idea is full of fail. Not to insult your opinion, as I think that it makes sense in the right environment. But since many school districts use Pearson products (Power School, etc), and they all use browsers to access FERPA information, I really can't afford to push out anything that hasn't been completely vetted. We're talking web access to 15,000 SSNs, addresses and full names. I've never encountered a FF exploit which steals data, but the last thing I need is some unknown exploit to give someone access to that information.

As a soldier, I absolutely can't allow any device on my network that hasn't been thoroughly tested. People's lives depend on security and 6 weeks isn't enough time for my shop to verify that FF is safe to use on government PCs.

The only thing remotely compelling about Firefox anymore (and this is coming from someone who didn't switch to Chrome until v7 or so) is their extension model - but Chrome is better at basically everything else. It's slow and their UI is only marginally better than IE9.

Meet the new Netscape, quickly becoming same as the old Netscape.

FF is only slightly slower and uses a lot less memory (with the same amount of tabs) for me than Chrome (unless you open just a little amount of tabs). I seriously prefer FF's UI over Chrome's UI; with FF I can find everything.

They did this to change having FF x.x installed to having FF installed, with the assumption of it being the newest version, like Chrome.

The problem is that 4GB of RAM is effectively the norm for your typical PC these days, and with Vista/Win7's memory management, who gives a shit about a few hundred meg here or there? Your average joe never comes close to actually saturating 4GB of RAM.

On the UI, that's certainly a matter of personal preference. I've become so used to Chrome's universal address/search/etc. bar that when I do need to drop to FF for something it annoys me pretty quickly. Chrome's single Wrench menu can be annoying until you figure out where everything is, I won't argue there. And not having Print Preview until v13 was just laziness.

Business users are generally more worried about running their business than they are about playing games with software developers. The answer to Mozilla is simple. Just say no. No software organization is generating worthwhile new function at a rate that justifies the disruption of updates every three months. That is why I no longer have Java or Silverlight on my system. I don't want organizations like Adobe or Hewlett-Packard continually trying to dump their low-grade software on my system. I am stuck with updating Flash and at least Microsoft's security updates. But I have not seen anything from anyone in years that really improved my computing experience.

Mozilla can feel however it wants; their products are still unwelcome on our systems. My users are perfectly satisfied with IE8, and will likely soon be getting IE9. Oh, sure, there's no giant library of add-ons, but these are not people's personal computers, and they're here to work, not play. They can fiddle with FireFox and Chrome on their own time.

The downside is that changing the enterprise is hard. Writing to proprietary frameworks like Silverlight and Flash/Flex with stable version numbers is almost as easy as writing to standards, and there's no need to challenge anyone up the chain about an issue they will perceive as a loss of control.

rotational wrote:

The only thing remotely compelling about Firefox anymore (and this is coming from someone who didn't switch to Chrome until v7 or so) is their extension model - but Chrome is better at basically everything else.

Yeah, and the only thing remotely compelling about Windows anymore is the ability to run win32 applications, OSX is better at basically everything else (and Ubuntu is better at nearly everything else, and free). Sometimes "the only thing" is the only thing that matters to a lot of people...

On the UI, that's certainly a matter of personal preference. I've become so used to Chrome's universal address/search/etc. bar that when I do need to drop to FF for something it annoys me pretty quickly.

Uhm, the Firefox address bar has been a "universal address/search/etc bar" since 2.0 or maybe 3.0. The "search bar" in FF has been redundant and pointless since then.

Are people still trying to use the address bar and the search bar separately in FF? Really?

Red Hat and Canonical CANNOT make their own LTS Firefox. Mozilla's trademark will not allow that. That is well known in the FOSS community. Ryan would have known ;-P

They could do an Iceweasel LTS however.

Well, true, but I don't think that's an important detail. Although I would assume there would be a facility for Mozilla to license the trademark to them, if it wanted to make official the hypothetical "Firefox LTS" builds.

Fuck 'the enterprise', fuck it right up its self-righteous, self-important ass. This is another facet of 'the enterprise' slowly but surely collapsing because of 'the enterprise' bullshit it mired itself in. The Enterprise stagnated technological development for more than a decade. Real technology doesn't need The Enterprise. Apple posts quarterly profits that other companies can only dream of, and they don't give two fucks about The Enterprise. Microsoft was beholden to that mire of shit for decades and it put them in an incredibly bad spot of legacy from The Enterprise that never, ever wanted to change. The Enterprise would run Windows NT with IE6 forever if it could, and the entire rest of the world would suffer greatly. Including Microsoft when The Enterprise does what it does and abandons Microsoft when it feels like it, and Microsoft is left holding the bag. Same with every other tech company since IBM.

So fuck 'em. The quote of 'Mozilla is going to die because we, The Almighty Enterprise, control the entire universe' is completely poignant of the whole situation.

From Jason Fried of 37Signals: We don't target Fortune 500, we target Fortune 500,000. And 37Signals is immensely profitable and innovative. They're just one of many that are out there, doing awesome things and giving a gigantic middle finger outlined in red neon to The Enterprise.

Fuck them. Anything that makes them whine and squeal makes me very happy. "It is not the strongest of the species that survives, nor the most intelligent that survives. It is the one that is the most adaptable to change."

And you know what? It's not that goddamn hard to write a web client that works perfectly fine in all browsers these days. There may be quirks in JS or HTML engines, but all in all it generally works fine. Millions of millions of sites do it every single day, tens of thousands of developers and designers do it day in and day out, from teams of one to hundreds, and it all works out fine. So why the fuck can't The Enterprise, with all of its self-important might, do the same?

I do love this example of The Enterprise. The response is the perfect example of why the mantra of the 2010s should be 'Fuck The Enterprise'.

Mozilla can feel however it wants; their products are still unwelcome on our systems. My users are perfectly satisfied with IE8, and will likely soon be getting IE9. Oh, sure, there's no giant library of add-ons, but these are not people's personal computers, and they're here to work, not play. They can fiddle with FireFox and Chrome on their own time.

I obviously don't know whether that works for your company or not, but it sure as hell doesn't work for me. Hell, I'm just getting started on some basic (internal) web development at the company where I'm interning, and I already don't know what I'd do without Firebug and View Source Chart.

Some people are upset that extensions will break because they were listed as compatible to 4.*.*. I know that certain extensions I used in the past refused to support beyond a certain Fx version because they couldn't guarantee it would work (using 3.6.19 vs 3.6.*). This was annoying because the new version always worked, but after the new Fx version was released, I had to wait a week for it to be released.

If this is the complaint, it seems it has little to do with versioning, and more to do with extensions and how they are updated, and validated. I haven't tried it, but *.*.* seems like a bad choice, although it might work. If Fx 5,6,7 prevents at least the attempted use of an extension until it is updated, then that is a downside.

However, Mozilla is addressing this and working to make extensions more "future-proof" through Jetpack, etc.

On the UI, that's certainly a matter of personal preference. I've become so used to Chrome's universal address/search/etc. bar that when I do need to drop to FF for something it annoys me pretty quickly.

Uhm, the Firefox address bar has been a "universal address/search/etc bar" since 2.0 or maybe 3.0. The "search bar" in FF has been redundant and pointless since then.

Are people still trying to use the address bar and the search bar separately in FF? Really?

I use it when I'm playing a game that causes me to frequently look something up in a wiki (like Pokemon or Dragon Age). In that specific situation, I greatly appreciate the ability to quickly Ctrl + K to the search bar, which remains on Bulbapedia or Dragon Age Wiki or what-have-you.

Everyone else can of course simply remove the offending bar from the browser.

So what can enterprises do? Longer term, writing Web applications that are sympathetic to the demands placed on the Web is probably the route to take, and that means writing applications that target standards, not browsers. This isn't as simple as it ought to be, as there are still plenty of discrepancies between different browser families, but applications written in this way will be subject to much less disruption from upgrades than applications that depend on quirks.

Fuckin A right.

No sympathy here for the Byzantine, gridlocked IT policies that lead to browser-coding in the first place.

And third party vendors, listen up: your shit isn't The Cloud or even Internet-ready if it requires any one browser or another.

Any product or system that can't do its work with the standards, libraries, and frameworks that are by now mature, capable and well-understood?

The first rule of any business that serves customers is that the customer is always right. The second rule of such a business is that it is paid for the service it provides. Talking about support from an organization like Mozilla that delivers a product for free does not make much sense. The fact that businesses can depend on organizations like IBM and Microsoft to support their products for as long as the business needs them is a large part of the reason why businesses are prepared to pay for those products.

On the UI, that's certainly a matter of personal preference. I've become so used to Chrome's universal address/search/etc. bar that when I do need to drop to FF for something it annoys me pretty quickly.

Uhm, the Firefox address bar has been a "universal address/search/etc bar" since 2.0 or maybe 3.0. The "search bar" in FF has been redundant and pointless since then.

Are people still trying to use the address bar and the search bar separately in FF? Really?

Back at FF 3.0 it was basically a Google "I'm feeling lucky" search. It would make a best guess at the site you wanted unless you specifically hunted down the obscure config to change it.

Are people still trying to use the address bar and the search bar separately in FF? Really?

I rather strongly prefer the search bar, especially since I regularly use five different search providers which I want to manually select. Typing random stuff in the address bar is for people who don't know any better; kinda like top-posting.

Enterprise admins are way too anal about testing. Do like facebook, give 5% of the users access then wait for the fallout. That way the impact on productivity is limited and IT isn't tied up doing monotonous testing.

Sorry to disagree - IE9 broke our firm's timekeeping app. If I had deployed it untested, however many people I gave it to would have had critical parts of their jobs shut down until we could uninstall it. But I do agree to some extent - I'm not throwing massive resources into testing, but I'm not just rolling out any software totally untested, either.

Since I'm wearing my kevlar suit, can I ask, why not just forget about Firefox on the job and let people use it on their home PCs? We use strictly IE because of the patch management with WSUS, and no one's world has ended prematurely even if they like Firefox better.

Whatever. The point is that *many* users, enterprise or not, won't keep up with major updates every few weeks. No way. You have extensions falling off left and right and people will gnaw through this once or maybe twice and then it's Chrome.

I really don't know what they're thinking. It's not that FF only has two groups of users, enterprise and geeks. The vast majority of FF users are just people who started to feel unsure about IE at some point and found FF to be a nice alternative. Piss them off and they're gone for good. Also piss off the enterprise users and then -- have fun with what's left.

I work IT for a school district and in the Army Reserves and for these two organizations, this idea is full of fail. Not to insult your opinion, as I think that it makes sense in the right environment. But since many school districts use Pearson products (Power School, etc), and they all use browsers to access FERPA information, I really can't afford to push out anything that hasn't been completely vetted. We're talking web access to 15,000 SSNs, addresses and full names. I've never encountered a FF exploit which steals data, but the last thing I need is some unknown exploit to give someone access to that information.

As a soldier, I absolutely can't allow any device on my network that hasn't been thoroughly tested. People's lives depend on security and 6 weeks isn't enough time for my shop to verify that FF is safe to use on government PCs.

You cannot prove a negative. Sure, I get that you need to do some vetting and make sure that things work ok with your internal apps (see the timekeeper app example in this thread), but all current browser security models are broken, and just like antivirus, you can't determine that there are no holes by their absence no matter how long you test it.

Until whitelisting as opposed to blacklisting becomes the standard security model, there is no "completely vetted;" there is only "I can't find anything really wrong so let's roll it." (And yes, even then there will be -some- testing necessary for compatibility purposes.)

Oh, sure, there's no giant library of add-ons, but these are not people's personal computers, and they're here to work, not play. They can fiddle with FireFox and Chrome on their own time.

Sure. Did you ever consider that someone could write an add-on or extension for FF or Chrome that could increase workers productivity? Remove some annoyances? Create some efficiency? Maybe make the day-to-day just a little more bearable.

With due respect, I know what you're saying. I do. It annoys me when people start mixing up the personal and work stuff a little too much. But we have a number of extensions and GM scripts for these browsers that do a tremendous amount of work for us now. We literally do more (and better) work because of them.

This article misses one major point for me: What about large corps developing customer-facing UIs? Online checking, e-commerce, etc. It's not just internal apps that are a problem. Most testing I know of is done with a 'top five' methodology, with the top five browsers/versions getting all primary testing, and others getting nothing but a sanity check. With FF splintering like this (as opposed to Chrome, which auto-updates virtually everyone very quickly) it drops marketshare below the top five. I wouldn't be surprised if FF4 is lower than Opera very quickly.

I'm already planning to track this closely in my monthly browser usage posts; you'll notice that for the past couple of months we've included additional graphs to show the transitions between versions. This is a policy I intend to continue.

The REAL problem is that too many "enterprise" apps are still built based on IE6, or are abusing known holes in the browsers instead of using proper programming. If the apps were coded correctly there would really not be an issue with what version of what browser you use; it would just work.

This article misses one major point for me: What about large corps developing customer-facing UIs? Online checking, e-commerce, etc. It's not just internal apps that are a problem. Most testing I know of is done with a 'top five' methodology, with the top five browsers/versions getting all primary testing, and others getting nothing but a sanity check. With FF splintering like this (as opposed to Chrome, which auto-updates virtually everyone very quickly) it drops marketshare below the top five. I wouldn't be surprised if FF4 is lower than Opera very quickly.

I'm already planning to track this closely in my monthly browser usage posts; you'll notice that for the past couple of months we've included additional graphs to show the transitions between versions. This is a policy I intend to continue.

Much appreciated, and obviously we have our own internal metrics where I'm at.

Another issue I see here is that the implication in your article is that we should be 'testing the changes', but in reality that's not at all possible. More or less we'd be asked to task a dev to track the code changes on a regular basis, and test in an ongoing fashion against the current branches given that most devs work Agile rather than Waterfall. If we are testing against the changes only after release, it turns new FF versions into essentially a release of their own, with us having to schedule testing against it specifically. In the current model we simply take current versions and validate functionality for each browser (usually side by side), which is very simple.

I don't see any way this does not drastically complicate testing. You can't just test the changes without making following FF development a task for someone, and then having others check against their knowledge when making changes. At what point do we just say "This is more hassle than it's worth" and blow it off? More or less that puts the test load back on Mozilla.

There are enterprises that support ANY version of firefox? That's amazing! I've never once seen that be something official, and even then it's broken in some way, mostly layout. I've always been forced to use IE for enterprise apps. Firefox should be catering to the enterprise to remedy this, not make the problem worse.

Enterprise admins are way too anal about testing. Do like facebook, give 5% of the users access then wait for the fallout. That way the impact on productivity is limited and IT isn't tied up doing monotonous testing.

... they all use browsers to access FERPA information, I really can't afford to push out anything that hasn't been completely vetted. We're talking web access to 15,000 SSNs, addresses and full names. I've never encountered a FF exploit which steals data, but the last thing I need is some unknown exploit to give someone access to that information.

As a soldier, I absolutely can't allow any device on my network that hasn't been thoroughly tested. People's lives depend on security and 6 weeks isn't enough time for my shop to verify that FF is safe to use on government PCs.

Exactly. Not all web development is about pretty pictures on the internet, some of it actually has to DO stuff. Maybe on a secretary's desktop, or an exec's blackberry or tablet, or on a soldier's system out somewhere I don't even know about -- or all three. I may grind my teeth at the fact I'm not even allowed to test my code on other browsers to future-proof it, but it beats the heck out of working for a bleeding-edge company and trying to hit a moving development target when upgrade-happy network admins push out updates without telling us, furiously trying to rewrite now-broken but critical applications or stopping all work because whatever the admins surprised us with overnight busted our development tools. (Strangely, the deadlines never stop approaching.)

The day when all browsers actually render the same will be a happy day for web developers. Until then, I'll take slow and behind the times over incessant updates. I'd love to see the tail end of IE7, but at least I'll know in advance when to expect IE8.

When I saw the title I thought this would be a Ryan Paul article. Was then surprised to see Peter's name, and almost didn't click through. The Microsoft guy will trumpet the MS & Enterprise position right?

Glad I did. Pretty balanced perspective.

I for one hope that these big slow corps don't retard the progress of the web for the rest of us any more than they already have (IE6 *arghh*).

Are people still trying to use the address bar and the search bar separately in FF? Really?

I rather strongly prefer the search bar, especially since I regularly use five different search providers which I want to manually select. Typing random stuff in the address bar is for people who don't know any better; kinda like top-posting.

In Chrome, you can use alternate search engines on the fly by prefixing the query with a keyword. I'm not sure if similar functionality is available in Firefox either natively or with an extension, but, well, it's something.

Since I'm wearing my kevlar suit, can I ask, why not just forget about Firefox on the job and let people use it on their home PCs?

In a functional system, IT would provide services to the users, not try to manage them from halfway across the org chart through computer acceptable use policy. If a given employee's reporting chain doesn't pass through you, you should not be telling them what brand of tools to use.